Google Found Disastrous Symantec and Norton Vulnerabilities That Are 'As Bad As It Gets'

Google’s “project zero” team, a group of security analysts tasked with hunting for computer bugs, discovered a heap of critical vulnerabilities in Symantec(symc) and Norton security products. The flaws allow hackers to completely compromise people’s machines simply by sending them malicious self-replicating code through unopened emails or un-clicked links.

The vulnerabilities affect millions of people who run the company’s endpoint security and antivirus software, rather ironically to protect their devices. Indeed, the flaws rendered all 17 enterprise products (Symantec brand) and eight consumer and small business products (Norton brand) open to attack.

In the words of Tavis Ormandy, an English hacker who works on the Google(goog) team: “These vulnerabilities are as bad as it gets”—and have “potentially devastating consequences.”

“An attacker could easily compromise an entire enterprise fleet using a vulnerability like this,” Ormandy writes on a Google blog. “Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.”

Ormandy’s post published soon after Symantec issued advisories of its own, which credit him for reporting the bugs. “An attacker could potentially run arbitrary code by sending a specially crafted file to a user,” the notice warns, before mentioning that the company has “verified these issues and addressed them in product updates.”

For more on Symantec, watch:

The vulnerabilities affect a “decomposer engine”—a program that unpacks compressed files in order to help scan for potentially malicious ones—that’s used across Symantec’s products. “It’s extremely challenging to make code like this safe,” Ormandy writes. To avoid such problems, Ormandy recommends that security vendors use sandboxing, a technique that detonates suspicious code in a secure, virtual environment, as well as security-first software development strategies.

Ormandy further demonstrated that the flaws can be exploited to propagate computer worms, meaning virally infectious malware. “Just emailing a file to a victim or sending them a link to an exploit is enough to trigger it,” he says, “the victim does not need to open the file or interact with it in anyway.”